Opinion
Civil Action 22-1538-CJB
11-14-2023
BRITISH TELECOMMUNICATIONS PLC and BT AMERICAS, INC., Plaintiffs, v. PALO ALTO NETWORKS, INC., Defendant.
Philip A. Rovner, Jonathan A. Choa, POTTER ANDERSON & CORROON LLP, Wilmington, DE; Bart H. Williams, PROSKAUER ROSE LLP, Los Angeles, CA; Nolan M. Goldberg, Baldassare Vinti, PROSKAUER ROSE LLP, New York, NY; Edward Wang, PROSKAUER ROSE LLP, Washington, D.C., Attorneys for Plaintiffs. Brian E. Farnan, Michael J. Farnan, FARNAN, LLP, Wilmington, DE; Adrian C. Percer, WEIL GOTSHAL & MANGES LLP, Redwood Shores, CA; Anish R. Desai, Tom Yu, WEIL GOTSHAL & MANGES LLP, New York, NY; Priyata Y. Patel, WEIL GOTSHAL & MANGES LLP, Washington, D.C., Attorneys for Defendant.
Philip A. Rovner, Jonathan A. Choa, POTTER ANDERSON & CORROON LLP, Wilmington, DE; Bart H. Williams, PROSKAUER ROSE LLP, Los Angeles, CA; Nolan M. Goldberg, Baldassare Vinti, PROSKAUER ROSE LLP, New York, NY; Edward Wang, PROSKAUER ROSE LLP, Washington, D.C., Attorneys for Plaintiffs.
Brian E. Farnan, Michael J. Farnan, FARNAN, LLP, Wilmington, DE; Adrian C. Percer, WEIL GOTSHAL & MANGES LLP, Redwood Shores, CA; Anish R. Desai, Tom Yu, WEIL GOTSHAL & MANGES LLP, New York, NY; Priyata Y. Patel, WEIL GOTSHAL & MANGES LLP, Washington, D.C., Attorneys for Defendant.
MEMORANDUM OPINION AND ORDER
BURKE, JUDGE
As announced at the hearing on July 14, 2023, IT IS HEREBY ORDERED that Defendant Palo Alto Networks, Inc.'s (“Defendant”) motion to dismiss (the “motion”), (D.I. 11), which argues that Plaintiffs BT Americas, Inc. and British Telecommunications PLC's (“Plaintiffs”) asserted United States Patent No. 7,159,237 (the “'237 patent”) and United States Patent No. 7,895,641 (the “'641 patent”) are directed to non-patent-eligible subject matter pursuant to 35 U.S.C. § 101 (“Section 101”), is DENIED.
Defendant's motion was fully briefed as of April 10, 2023, (D.I. 31). The Court carefully reviewed all submissions in connection with Defendant's motion, heard oral argument, and applied the relevant legal standards for review of this type of Section 101-related motion at the pleading stage, which it has previously set out in Genedics, LLC v. Meta Co., Civil Action No. 17-1062-CJB, 2018 WL 3991474, at *2-5 (D. Del. Aug. 21, 2018).
The Court's Order is consistent with the bench ruling announced at the hearing on July 14, 2023, pertinent excerpts of which follow:
The first case in which I[ will] provide an opinion is British Telecommunications, PLC v. Palo Alto Networks, Inc. It[ is] Civil Action [No.] 22-1538-CJB. The Defendant, Palo Alto Networks, has filed a motion to dismiss pursuant to Rule 12(b)(6)[,] arguing that the complaint should be dismissed on Section 101-related subject matter eligibility [grounds].
Here, Plaintiffs[] British Telecommunications, PLC and BT Americas, Inc. filed suit alleging the infringement of two patents, the [] '237 patent[,] and [] the '641 patent. The patents are related. They share a common specification, and they have the same title, which is “Method and System for Dynamic Network Intrusion Monitoring Detection and Response.”
The '237 patent, as we will see, contains certain representative claims. And so, I will focus on that patent alone here. The patent has 42 claims in total. [D]efendant argues in its briefing that [c]laim 18 is representative for Section 101 purposes, [of] not only the independent claims in that patent, but of all independent claims in both patents that are being asserted in this case. And Plaintiffs never explicitly disputed in the briefing that [c]laim 18 was representative of the other asserted independent claims.
Claim 18 recites a security monitoring system for a computer network. The system utilizes a plurality of sensors, a secure operation center[,] or SOC[,] and at least one probe. And that probe is configured to do the following five things.
First, to collect status data from at least one sensor that monitors at least one component of the network. Second, to analyze that status data, to identify potential security-related threats wherein the analysis includes an initial filtering process, and then an additional analysis of what the patents call “post-filtering residue[,]” which is data that is “[n]either discarded nor selected” by the initial filtering process. Third, to transmit information about the identified events to an analyst associated with the SOC. Fourth, to receive feedback from an analyst based on empirically-derived information reflecting the operation of the security monitoring system. And, fifth, to dynamically modify [an] analysis[] capability of a probe based on that received feedback.
(D.I. 12 at 5)
(D.I. 31 at 1 n.1)
(See '237 patent, col. 36:38-63)
In [their] briefing, to the extent that they ever address a dependent claim in the patents, Plaintiffs mainly focus on the requirement found in [c]laim 14 of the '237 patent that requires that the analyst at the SOC or the SOC[ itself] otherwise[] utilizes “cross-probe correlation.” This is seen, for example, on [p]ages 5 and 12 of Plaintiff[s'] answering brief in which they make reference to [c]laim 14 and its computerized use of cross-probe correlation.
(Id., col. 36:28-29)
(D.I. 19 at 5, 12)
[In light of] this, the Court will focus on analyzing [c]laim 18 of the '237 patent, treating it as a representative claim for all asserted independent claims. And it will also address [c]laim 14 of that patent[,] in that Plaintiffs have suggested that that claim is representative of any dependent claims that discuss the addition of cross-probe correlation or its equivalent. Moreover, as a general matter, when the Court is discussing the specification of one of the two asserted patents, it will make use of the '237 patent specification[,] understanding that that specification is [] little different from the '641 patent specification.
In step one, Defendant argues that the asserted claims are directed to the abstract idea of “collecting, filtering, analyzing and transmitting data[,] and then making modifications based on human feedback.” Plaintiffs do[ not] contest in their briefing that the purported abstract idea here is, in fact, an abstract idea, and the Court concludes that it is. A claim to an abstract idea has been described by the [United States Court of Appeals for the] Federal Circuit as one directed to “a disembodied concept, a basic building block of human ingenuity[,] untethered from any real-world application.” The Defendant's proffered abstract idea seems to fit that characterization.
(D.I. 12 at 7-8)
CLS Bank Int'l v. Alice Corp. Pty. Ltd., 717 F.3d 1269, 1286 (Fed. Cir. 2013) (Lourie, J., concurring) (internal quotation marks and citation omitted).
Moreover, the Federal Circuit has explained that certain basic methods of utilizing data like th[is], standing alone, cannot amount to something more than an abstract idea. For example, in International Business Machines Corp. [v.] Zillow Group, Inc., the Federal Circuit said that, “[i]dentifying, analyzing and presenting certain data to a user is not an improvement specific to [computing]” [a]nd that “claims directed to collection of information[,] comprehending the meaning of that collected information[,] and indication of the results[,] all [o]n a generic network computer operating in its normal[,] expected manner” are claims directed to an abstract idea.
Int'l Bus. Machs. Corp. v. Zillow Grp., Inc., 50 F.4th 1371, 1378 (Fed. Cir. 2022) (internal quotation marks and citations omitted).
In Electric Power Group, LLC v[.] Alstom, S.A., the Federal Circuit said that[] “[merely] requiring the selection and manipulation [of] information[. . .]by itself does not transform” an otherwise abstract idea into something more. In cases like BASCOM Global Internet Services, Inc. v[.] AT&T Mobility, LLC, the Federal Circuit noted that “filtering content is an abstract idea because it is a long-standing, well-known method of organizing human behavior, similar to concepts previously found to be abstract.” And in[] In [r]e[] Rosenberg, the Federal Circuit explained that the idea of determining whether to “fine[-]tune” a system, including by providing instructions to modify certain procedures or parameters[,] amounts to an abstract idea.
Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1355 (Fed. Cir. 2016).
BASCOM Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341, 1348 (Fed. Cir. 2016).
In re Rosenberg, 813 Fed.Appx. 594, 596 (Fed. Cir. 2020).
So, we know that if it[ is] right to say that all these claims are directed to [is] collecting data and[/]or analyzing data, and[/]or filtering data, and[/]or transmitting data and[/]or modifying data based on analysis, well that cannot be enough to save the claims in step one.
But Plaintiffs contend that the '237 patent is not actually directed to the broad abstract idea [at issue] here and [is instead] directed to something more particularized. On that score[,] in their briefing, Plaintiffs assert that the claims are directed to “a specific architecture for detecting and responding to new and constantly evolving attacks on computer networks.”
(D.I. 19 at 16)
What is this more specific architecture that Plaintiffs speak of? Essentially in places like [p]ages 3 to 6 of their answering briefor in [p]aragraph [3]7 of their Complaint and, again, in oral argument here today, Plaintiffs have focused most directly on three different aspects of the claims.
(Id. at 3-6)
(D.I. 1 at ¶ 37)
First, they note that the claim[ed] systems and methods utilize a “tiered analysis” at the probe. By this they mean that first a probe uses “two different types of filters” to assess status data[-]a positive and negative filter that selects or discards data respectfully. And, second, that the probe then separately analyzes a middle ground[-]type of data that has . . . neither been selected or discarded by the filter[-]what the patents refer to as post-filtering residue.
Second, Plaintiffs highlight that the claimed systems and methods also use a “two-level review process”[-in] that a computerized analysis of this data occurs first at the probe level[, b]ut then the information gleaned about potential security-related events is sent to a human analyst for further review.
And[] third, Plaintiffs [note] that [] certain dependent claims like [c]laim 14[] require that the analysis performed at the SOC involves electronic cross-probe correlation, which the Court understands to mean that, as Plaintiffs suggested in [their] briefing, the system takes into account and analyzes status data obtained from multiple different probes, not just a single probe.
The [“]directed to[”] inquiry in step one applies a stage one filter to claims considered in light of the specification, based on whether their [“]character as a whole[”] or their [“]focus[”] is directed to exclude[ed] subject matter. As to how that inquiry should proceed, the Federal Circuit provides some guidance in Internet Patents Corp. v[.] Active Network, Inc. There, in order to ascertain at step one whether the claim's character as a whole was directed to an abstract idea, the Internet Patents Court examined the specification of the patent at issue. In doing so, it cited to what the patentee described in the specification as the “innovation over the prior art” and the “[essential], most important aspect” of the patent.
Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1335-36 (Fed. Cir. 2016) (internal quotation marks and citation omitted).
Internet Patents Corp. v. Active Network, Inc., 790 F.3d 1343 (Fed. Cir. 2015).
Id. at 1348 (internal quotation marks and citation omitted).
The Federal Circuit [has] also stated, however, that reliance on the specification must always yield to the claim language in identifying what a claim is directed to, because the concern that d[rives] the judicial exception to patentability is one of preemption [and] the claim language defines the breadth of each claim.
ChargePoint, Inc. v. SemaConnect, Inc., 920 F.3d 759, 766 (Fed. Cir. 2019).
In order to attack this step one question, then[,] the Court needs to determine: What is the focus of representative [c]laims[. . .]18 and 14 of the '237 patent[?] In looking at the patent specification, it[ is] pretty clear that some aspects of the specific architecture touted by Plaintiffs are not what the patent itself is saying it[ is] particularly focused on.
For example, it[ is] of course[] true that [c]laim 18 and [c]laim 14 include reference to, first, how the probe separately analyzes post-filtering residue after the initial filtering stage has occurred[, a]nd second, the analysis of status data by way of cross-probe correlation. But when one reads the patent, one sees that those post-filtering residue and cross-probe correlation concepts are actually little mentioned in the specification.
For example, the only time the specification mentions the concept of analyzing post-filtering residue comes in [c]olumn 8. There[, in] a description of an exemplary embodiment found in Figure 2[, t]he patent explains that after the system first filters the status data[] using a negative filter[ing] subsystem and a positive filtering subsystem[,] which selects “possibly interesting information” and forwards it on to the SOC[, t]hen[] “data neither discarded by the negative filtering subsystem . . . nor selected out as interesting by [the] positive filtering subsystem . . . form the ‘residue,' which is sent to anomaly engine 2050 for further analysis. Anomaly engine 2050 determines what residue information may be worthy of additional analysis and sends such information” for forwarding to the SOC.
('237 patent, col. 8:48-57)
And so far as the Court is aware, the only time the specification makes reference to the idea of cross-probe correlation comes in a few lines in [c]olumn 2 and [c]olumn 3. In [c]olumn 2, for example, the patent states that, “[f]urthermore, data filtering and analysis can include cross-product analysis, which allows the probe[/]sentry system to correlate and recognize such multiple sensor readings as reflecting the same [happening]. Such features ensure that the invention is capable of the rapid refinement necessary to combat [network] attacks.” Additionally, there[ is] a brief reference to “cross-correlation” and “cross-analysis” in [c]olumn 3 of the patent.
(Id., col. 2:26-32)
(Id., col. 3:17)
But in general, the specification indicates that the patent's focus or its character as a whole is not really attuned to those two concepts[.] Instead, the patent reads as if its focus is [] on the general concept of filtering and analyzing status data and doing so via the two-level review process that Plaintiffs spoke of in their briefing. In other words, having one computerized review process occur at the probe and then another human analyst[-]based review process occur at the SOC.
That the patent's focus is on this two-level review process is seen first by looking at the [A]bstract. There[,] the patent explains that the inventions described therein are about how “[a] probe attached to a customer's network collects status data and other audit information from monitored components of the network[,] looking for footprints or evidence of unauthorized intrusions or attack[s]. The probe filters and analyzes the collected data to identify potentially security-related events happening on the network[. I]dentif[ied] events [] are transmitted to [a] human analyst[] for problem resolution.” After discussing the types of resources that a human analyst might use, the [A]bstract concludes by noting the feedback from the analyst: “Problem resolution [efforts] can be used to update the knowledge base available to analysts for future attacks and to update the filtering and analysis capabilities of the probe [and] other systems.” There[ is] no specific mention there of analyzing post-filtering residue or the use of cross-probe correlation, for example.
(Id. at Abstract)
(Id.)
So, too, in the patent's Background of the Invention section. There, the patent explains how [prior art] computer and network security products[,] like firewalls []or authentication mechanisms or encryption[,] were focused on preventing outside intrusion into an internal network. But the patent explains that because those computerized processes do[ not] always work perfectly, it[ is] also helpful to have “monitoring[,] detection and response in the event of a breach.” That said, the patent explains that system administrators cannot easily play [this] additional monitoring role, [in] that they “normally do not have the time or ability to read through large amounts of constantly update[ed] audit information[,] looking for attacks on their systems.[] []They also do not have the time to continuously monitor hacker activities[,] looking out for new tactics, tools and trends.[] []Finally, they do[ not] have the time to become experts on every kind of intrusion and to maintain that expertise.” Therefore, here the patent concludes by noting that what[ is] needed is a system that both employs “automatic defenses” that work against automated attacks, but that also utilizes “human intelligence” and that “takes advantage of security intelligence and other knowledge[] databases” in order to provide “the kind of intelligent defense offered by the present invention.” In other words, here the patent seems to be saying that its focus is on providing the two-level review process[-o]ne part computer[-]based, one part human[-]based[-]that Plaintiffs speak of.
(Id., col. 1:21-22)
(Id., col. 1:26-30)
(Id.)
(Id., col. 1:35-42)
This conclusion is also borne out in reviewing [t]he Summary of [t]he Invention section of the patent. As the Court[ has] noted, there are a few brief references in [c]olumns 2 and 3 in th[is] section to the benefit of the system[']s taking into account crossprobe correlation. But the entirety of the rest of the section which spans [c]olumns 2 through [3,] is really talking at a high level about the benefits of a two-level system for intrusion detection[:] one that incorporates the work of a probe or sentry system that filters data and does a preliminary threa[t ]analysis [a]nd one that also incorporates human analysts to further sift through that data and provide feedback. And[,] this section does[ not] mention specifically the particular benefit of having the probe select out and then separately review post-filtering residue even once.
(Id., cols. 2:35-3:52)
So, all this begs the question: If the patent[ is] focused on the use of a two-level system for detecting security threats, does that concept amount only to simply “collecting, filtering, analyzing and transmitting data[] and then making modifications based on human feedback?” For our purposes here, and the Court will assume[ arguendo], yes.
The Court will take this path because these portions of the patent seem to be telling us that what the claim is about is that having the computerized probe filter status data and analyze it, and then later having a human do a second-level set of analysis of certain data that[ has] been passed along. There[ is] nothing more in the claims about how the probe or the human analyst must do that filtering [or] analysis[,] or what type of feedback or modifications must be provided by the analyst.
Moreover, [one] way of assessing whether claims [are] directed to an abstract idea is to ask whether the claim is directed to an improvement in computer functionality, or instead [to whether] the computer is simply being used as [a] tool[] to aid in carrying out the abstract idea itself. And here, there[ is] no other indication in the patent that either of these two high-level levels of review of status data implement[ an] improvement to the way that computers work. For example, Plaintiffs do[ not] contend that the claim[s'] use of computer-based positive and negative filter[ing] or analysis in any way represents a new computerized method of performing this type of work. Indeed, in [c]olumn 8, the patent suggests that it[ is] not. Moreover, as was noted above in the Court's discussion of [the] Background of [t]he Invention section of the patent, the patent explains that the role of the human analyst is to allow the claim[ed] system to engage in the type of data analysis that a human can do, but th[at] system administrators simply do[ not] have the time to do, since they can[not] “read through large amounts of constantly updated audit information[.]” As Defendant noted in its opening brief, [“]this is []not an improvement to computer functionality[; i]t simply supplements one human[ (]the administrator[)] with another[ human ] [(]an analyst[)].”
Customedia Techs., LLC v. Dish Network Corp., 951 F.3d 1359, 1364 (Fed. Cir. 2020).
(See, e.g., '237 patent, col. 8:57-59; D.I. 31 at 5)
('237 patent, col. 1:25-32)
(D.I. 12 at 11)
Now, the Court does[ not] necessarily agree with Defendant's contention that the patent is directed solely to a “human solution[,] not a technical solution.” It would be more accurate to say[ that] with its focus on this two-level review of status data, the patent[ is] directed to the combination of a human solution and a computer-based solution.
(D.I. 31 at 2)
But when describing [and] claiming this two-level solution, it[ is] as if the patent simply said that it was claiming the following idea: Use a computer to filter and analyze status data [(]in a manner indistinguishable [from] how computers already do this[)] and then use a human to further analyze status data and provide some feedback on it[. N]othing more. It[ is] difficult to see how this combined concept[,] which simply seems to be about layering together two broad ways of collecting, filtering and analyzing data in order to provide feedback, is meaningfully different from the Defendant['s] articulation of the abstract idea.
(Id. at 3)
And so, the Court agrees, for our purposes here, that the claims are directed to the proffered abstract idea in Alice's step one.
I now turn to step two of the Alice framework. At step two, the Court[ is] required to assess what else is in the claim, beyond the abstract idea, in order to determine whether the additional elements in the claim, either viewed independently or as an ordered combination, transform the nature of the claim into a patent[-]eligible application of the abstract idea.
See Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 217-18 (2014).
With respect to computer functionality[-]based claims, like those at issue here, the Federal Circuit has stated that such claims can include an inventive concept where they provide a technological solution to a technological problem. At step two, for the role of the computer to be meaningful in the context of the Section 101 analysis, it must involve more than the performance of well-understood[,] routine and conventional activities previously known in the industry.
See Amdocs (Isr.) Ltd. v. Openet Telecom, Inc., 841 F.3d 1288, 1300-02 (Fed. Cir. 2016).
Content Extraction & Transmission LLC v. Wells Fargo Bank, Nat'l Ass'n, 776 F.3d 1343, 1347-48 (Fed. Cir. 2014).
I will say that I think the step two question here was a difficult one to resolve. Reasonable minds could disagree about how one should come out. Let me explain, though, why I am determining that the record indicates the presence of a factual dispute[ at]step two sufficient to warrant denial of the Defendant's motion.
At times in the briefing and in the Complaint, such as in [p]aragraph 29 of the Complaint, Plaintiffs note that [the] claim[ed] systems and[] methods amounted to a []novel[] architecture for unearthing and addressing network intrusions.And the Court must accept those allegations of novelty as true at the pleading stage[.] [B]ut that alone would[ not] be enough to get Plaintiffs over the hump at step two. That[ is] because there[ is] a difference between the concept of novelty and patent eligibility in [federal] patent[ law]. The Federal Circuit[ has] explained that whether a particular element or combination of elements is novel does[ not] necessarily [go to] whether that element[ is] patent eligible. Put differently, as the Federal Circuit stated in [] Synopsys, Inc. v[.] Mentor Graphics [Corp.], a claim for a new abstract idea is still an abstract idea.
(D.I. 1 at ¶ 29; see also D.I. 19 at 19-20)
Two-Way Media v. Comcast Cable Commc'ns, LLC, 874 F.3d 1329, 1339-40 (Fed. Cir. 2017); Intell. Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1315 (Fed. Cir. 2016).
Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1151 (Fed. Cir. 2016).
Nor [in] the Court's view is there any indication that any of the remaining components of the representative claims, were they standing alone, would amount to anything other than use of generic computer components to perform well-known computer functions. Claim 18, for example, utilizes sensors, a secure operation center and at least one probe. But as the Defendant notes, the patent tells us at [c]olumn 4 that any such technology utilizing those claim elements[] was well known and commercially available. So, the use of these computer hardware[-]based limitations in the claims do little more than spell out what it means to apply the abstract idea on a computer. Moreover, [claim 18's] additional step of analyzing post-filtering residue appears to make use of, according to [c]olumn 8 of the patent, a type of well-known data discrimination analysis. And [c]laim 14's reference to the use of cross-probe correlation is not suggested on its own to be a new use of computer technology.
('237 patent, col. 4:48-52)
See Intell. Ventures I LLC v. Cap. One Bank (USA)., 792 F.3d 1363, 1370 (Fed. Cir. 2015).
('237 patent, col. 8:57-58)
That said, we also [know] from the Federal Circuit's decision in BASCOM that the claim[s'] use of an ordered combination of otherwise known conventional elements can still amount to an inventive concept in step two. And in the Court's view, there is just enough in the record to render it plausible that the representative claims include[ an] inventive concept by way of their use of an ordered combination of known elements in an unconventional way[,] as part of the claim[ed] security [system and methods].
See generally BASCOM, 827 F.3d at 1349-50.
Here, it[ is] the claim[s'] combination of the two-level review process with the added more specific step of having the computer probe th[e]n additionally analyze[] post-filtering residue[-p]lus, in at least some dependent claims, the computer's additional use of data obtained from multiple probes[-]that could represent the requisite ordered combination of elements.
Of course, one might say, as Defendant does, that the claim[s'] additional assessment of post-filtering residue or the correlation of status data from multiple probes is just another way of piling the use of one abstract idea on to another. In other words, one could argue that the second post-filtering residue analysis step is just another way of saying [“]analyze data[,”] or that the cross-probe correlation step is just another way of saying [“]correlate data[.” A]nd that both of those things are just additional ways to make use of abstract ideas.
(D.I. 12 at 12-13)
And one could also argue, as Defendant does, that [the] claims do not tell us any more about how the claim[ed] systems or methods analyze post-filtering residue or how they correlate information from different probes[-]such that the addition of those other steps cannot provide an inventive concept[ here]. And it[ is] true, the claims do[ not] provide this additional indication of how the systems or methods do this particular work. Moreover, they certainly do[ not] describe some further technical means for performing these functions.
(Id. at 12, 18)
But the Court is not completely convinced that the way Defendant is looking at these issues is the right way to do so for purposes of [the Court's] review here. A couple of cases from the Federal Circuit convince the Court that this is so.
Particularly, one. And there the Court looks to the Federal Circuit's decision in SRI International, Inc. v[.] Cisco Systems, Inc., the case that Plaintiffs have identified as the most analogous Federal Circuit opinion to this case. The Court agrees with Plaintiffs that SRI, although it was decided at the step one stage[,] not at step two, is very helpful to their argument here.
SRI Int'l, Inc. v. Cisco Sys., Inc., 930 F.3d 1295 (Fed. Cir. 2019).
In SRI, the representative claim was to a computer-automated method of hierarchical[] event monitoring and analysis within a network. The claim[] performed this method by, first, deploying more than one network monitor to detect suspicious activity based on analysis of at least one of certain categories of network traffic[ data, s]econd, by having those monitors generate reports of suspicious activity [a]nd, third, by having those reports be received or integrated by one or more [hierarchical] monitors.
Id. at. 1301.
At step one, the SRI Court found that the claim was not simply directed to the abstract idea of collecting and analyzing data.This was even though the steps of the claim[] were fairly basic and functional in the[ir] requirements[,] in that one aspect of it simply required an [“]analysis of network traffic[ data” a]nd another simply required that the monitors “generate[] reports[]” [a]nd a third only said that the monitors must be “receiving and integrating [the] reports,” nothing more. Yet, the SRI Court did[ not] conclude that this me[ant that] the claims were simply about collecting and analyzing data.
Id. at 1303-04.
Id. at. 1301.
Instead, in determining that the claims[] nevertheless[] were directed to something more, the Court looked at the patent specification. The specification explained that the claimed invention solved weaknesses in conventional networks in order to fix a technological problem and provide a “framework for the recognition of more global threats [to] inter[]domain connectivity, including coordinated attempts to infiltrate or destroy connectivity across an entire network[ enterprise.]” This was enough to ensure the Court that the computers used in the claim were not added simply “as a tool” to automate conventional activity, but instead were claims that improved the functionality of the computers and computer networks themselves.
Id. at 1303-04 (internal quotation marks and citation omitted).
Id. at. 1304.
The SRI Court came to this conclusion[] even though the claim did not specify how the network monitors detected suspicious activity or analyzed data [(]beyond the requirement that they use at least one of the categories [of data] mentioned in the claim[)], or how they generated reports of suspicious activity, or how they received and integrated those reports. Despite this, SRI concluded that the claims were directed to what i[t] called a “specific technique . . . using a plurality of network monitors that each analyze[] specific types of data on the net[work] and integrating reports from the monitors[-]to solve a technological problem arising in computer networks[: ] identifying hackers or potential intruders to the network.”
Id. at 1303.
Now, unlike in SRI, as I[ have] noted above, the patent[s'] specification does[ not] say a lot about the claim[s'] additional use of the probes to analyze post-filtering residue[,] or the claim[s'] use of data f[rom] multiple probes and how[ (]when combined with the two-level filtering analysis process[)] this might amount to an unconventional use of computer technology. A[s] the Court mentioned, there are some references in the specification to these additional concepts in [c]olumns 2, 3 and 8, but they[ are] certainly not highlighted or described in a really fulsome manner.
That said, the Complaint does fill in some of these blanks. Paragraph 38 of the Complaint is particularly relevant[ here]. Therein, Plaintiffs state that the architecture of the patent was “novel and unconventional[,” a]nd in explaining why that was so, they cite to the [E]xaminer's Notice of Allowability regarding the '237 patent. Therein, the [E]xaminer stated that, [t]ypically [in] network security systems “all data is filtered by intrusion detection, firewall, gateway, proxy, sensor, probe, or sentry or some other type of device[,” ] such that if [“]an attack occurs, the data is transmitted for further analysis.” [But t]he [E]xaminer noted that in such systems “[a]ll other data is usually blocked or discarded[.]” The Notice of Allowability also states that [“]prior art does not disclose or suggest data [neither] discarded by [] negative or positive is the residue that is sent for further analysis.[”] The Court understands this to be an indication that while it was conventional for intrusion detection systems to use a filtering system like that described in the claims-that is, one that filters status data into positive or negative categories to be either further reviewed[ (]because it[ is] known to be threatening[)] or otherwise discarded-those systems were not using probes to then additionally further analyze data that fell somewhere in between those two poles [(]or what the patents here describe as “residue” data[)]. Additionally, [p]aragraph 38 of the Complaint states that the computer-based use of and correlation of data from different probes was also “a significant improvement to existing computer security technology at the time[]” [i]n that[] “previous conventional security systems were constrained to pattern matching at a single point in the network.”
(D.I. 1 at ¶ 38)
(Id. (internal quotation marks and citation omitted))
(Id. (internal quotation marks and citation omitted))
(U.S. Patent Application No. 09/766,343, Notice of Allowability at 4, ¶ 6 (cited in D.I. 1 at ¶ 38))
(D.I. 19 at 3)
(D.I. 1 at ¶ 38)
So, as in SRI, here the record provides at least some[-]not a lot, but at least some[-]factual support for the idea that the claims could contain a specific solution to a problem faced in the computer[] network security field, and that the solution is at least significant[ly] [(]though not exclusively[)] rooted in computer technology. That [is] so, as in SRI, even though the claims do[ not] specify every detail of how the claimed systems in the patents protect against network intrusion[.] And as in SRI, even though the claims[,] looked at []one [way], [] might be said to simply be about collecting[] and filtering and analyzing data[, i]t seems like that may not be the right way to view [them] at step two. Instead, it seems like the claims could be[ (]maybe should be[)] viewed, at least at the pleading stage, as plausibly employing a “specific technique” to assess status data[-]one that utilizes a partly computerized, two-level filtering system[, and then] uses the computerized probe to additionally assess residue data in combination with that two-level system in a way that was[ not] being done before. And that[] also, in some dependent claims[,] makes use of data f[rom] multiple probes in a way that computerized programs were[ not] doing[ before].
One last point about SRI. Defendant [notes] that one of the justifications[ (]though not the only one[)] that the Federal Circuit used in that case to support its decision[] was that the Court tended to agree with the [p]laintiff that “the human mind is not equipped to detect suspicious activity by using network monitors and analyzing network packets as recited by the claims.” And Defendant contrasts that with the scenario here, arguing that it is clear from the record that the human mind is equipped to do everything that [c]laim 18 can do[,] in a similar way that a nonhuman could do[ it]. Obviously, some elements of [c]laim 18 do involve a human analyst[. S]o it seems hard to dispute Defendant's contention as to those elements. But the claim does have other elements[,] such as the probe's use of positive and negative filtering. Now, it may be the case that a human could play that filtering role in a similar way to what the probe does here[. But] I do[ not] have a great record to support that assertion[, a]nd I can[not] wholly rely on the arguments of counsel on that point. I[ am] not saying that a better record on this issue in and of itself would make the difference in Defendant's favor in [the] case[-]dispositive stage of the case. All I[ am] saying is that if it w[ould], that stage would be the right stage to fully assess the record on that issue, not the pleading[] stage.
SRI Int'l, Inc., 930 F.3d at 1304.
In addition to SRI, the representative claims here also do[ not] seem all that different to the Court than the claims at issue in Thales Visionix Inc. v[.] United States, another Federal Circuit case. Claim 22 in Thales was exemplary[,] and it was brief[]. In two lines, it recited a method of determining an object's orientation based on the outputs of two inertial sensors that were mounted[,] respectively[,] on the object[] and [a] moving reference [frame].The specification explained how conventional methods [for tracking] an object's motion were flawed, and that the patent's invention provided multiple advantages, including increased accuracy[ and] the ability to operate without requiring hardware[,] and simple installation.
Thales Visionix Inc. v. United States, 850 F.3d 1343 (Fed. Cir. 2017).
Id. at 1345.
Id.
[In] finding [at] step one [that] the claim and another representative claim were not directed to the abstract idea of [“]using laws of nature governing motion to track two objects[” t]he Federal Circuit noted that, instead, the “claims specify a particular configuration of inertial sensors and a particular method of using the raw data from the sensors in order to more accurately calculate the position and orientation of an object on a moving platform.” Now, the Federal Circuit said this even though[,] like here, [c]laim 22 did not specify how to determine the orientation of the object or what process or formulas were used to do that. The claim just said that [you do so] “based on” signals from their respective two sensors.Nor d[id] the claims say how those sensors work[ed] to provide signals. And the sensors used in Thales, like the probes and sensors used here, were conventional in the art.
Id. at 1346, 1349 (emphasis added).
Id. at 1345.
Id. at 1344-45.
Nevertheless, it was enough for the Federal Circuit that the configuration[] of the sensors was a “particular” one[ or]was used in a “particular method” for collecting data. In other words, sufficient particularity was demonstrated by the fact that the sensors were specified to be placed in two different positions[(]an object and a moving reference frame[)], so long as the patent or the record helped make clear how that particular arrangement solved the technological problem. Similarly, here, it[ is] at least plausible that the claims at issue contain a similar level of particularity[-in] that a probe is used to do positive and negative filtering, and then is used a second time to assess residual status [data-a]nd th[at] in certain claims[,] data from multiple [probes] is utilized. As noted above, the record contains indication [that this ordered combination] of steps[,] taken together with the rest of the elements of the claims at issue, amounted to unconventional ways to use computerized probes in order to solve a problem in computer securit[y].
Id. at 1349.
Lastly, the Court [notes] that the Supreme Court has stated [that] the eligibility analysis is driven by the concern of preemption.The preemption analysis in turn compels a Court to assess whether the claims at issue attempt to preempt every application[,] or at least a great many applications[,] of the abstract at issue.
Alice Corp. Pty. Ltd., 573 U.S. at 216.
DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1259 (Fed. Cir. 2014).
And, here, in the Court's view, the record provides at least some indication that the claims do[ not] preempt all [ways,] and perhaps do[ not] even preempt very many [ways,] of “collecting, filtering, analyzing[,] and transmitting data[,] and then making modifications based on human feedback.” Paragraph 38 in the Complaint tells us that one could simply collect and analyze status data by [] using a positive and negative filter without[] also[ (]as the claims do[)] then using the probe again to reassess residual data that did[ not] fall into the positive or negative categories of the first filtering stage. And it also tells us that one could collect, filter and analyze data only by using one probe instead of[ (]as in certain dependent claims here[)] by obtaining and correlating information from multiple probes. The extent to which the claims do not preempt the field of the abstract idea is a fact question, not [amenable] to resolution at the Rule 12 stage, at least based on this record.
So, for all these reasons, the Court denies Defendant's motion at step two of the Alice analysis[,] without prejudice to Defendant's ability to re-raise the issue at the case dispositive motion stage.